Risk Assessment Process

The Security Risk Assessment Process

In our last blog post we defined security risk assessment, mentioned who should run a cyber risk assessment, and explained why it is necessary to perform such assessments at least once a year. The next step in our analysis covers the relevant details of the risk assessment process.

The Extent of The Security Risk Assessment

The first step of the process is to determine the scope and the limits of the assessment. This can encompass an entire organization, an operating unit, a subdivision, or certain components like the payroll process.

Once you determine the extent, you need to inform all relevant executives, particularly those whose activities fall within the scope of the assessment. Their input is crucial to identifying the relevant processes and assets, locating risks, assessing impacts, and defining risk tolerance levels.

All parties involved in the assessment process should learn the relevant terminology, including risk likelihood and impact (the risk matrix). This standardizes the work and ensures accurate communication. In addition, organizations should review risk management frameworks like NIST SP 800-37 and standards like ISO/IEC 27001 for guidance on implementing security controls.

Threat and Vulnerability Identification

Simply put, a vulnerability is a weakness that exposes your organization to potential threats.

A threat is any event that can damage your company’s assets or processes.

Vulnerabilities can be identified using several methods, including automated scanning, security audits, penetration testing, vendor security advisories, application security testing, etc.

Your analysis should cover as many types of flaws as possible, such as technical, physical, and process flaws. For instance, a company that does not have physical access control is vulnerable to physical intrusion, while a connected device that does not have malware protection is vulnerable to cyberattacks.

Analyze Risks and Potential Impact

The third step of the process is to determine how the risk scenarios your team has identified can impact the organization. In security risk assessment, potential risk (the probability that a particular threat can exploit a vulnerability) is calculated based on several factors:

  • Ease of exploitability
  • Discoverability of the security weakness
  • Threat occurrence (some threats occur only once while others are recurring)
  • Prevalence of the threat in the industry
  • Historical security incidents

Prioritize Risks

A risk matrix can be used to classify each risk scenario based on likelihood and impact. It is crucial to define a risk tolerance level and to specify which threat scenarios should be addressed by third parties, along with other relevant details such as preliminary measures, specific security protocols, etc.

Based on the risk matrix you can choose one of three actions:

Avoid – if the risk level is low and it is not worthwhile to mitigate it, you may decide to take no action.

Transfer – if the risk is significant but difficult for your designated team to mitigate internally, it is advisable to share the risk by transferring responsibility to a third party, for example by contracting an outsourced security service.

Mitigate – all risks that can be addressed internally should be handled accordingly. You can do this by implementing specific security controls and other similar measures.

Note! Security risk assessments usually include a certain level of residual risk that will be either missed or not fully addressed mainly because of the complexity of certain emerging threats. Therefore, business executives should be aware of this and always refer to residual risk within the organization’s cybersecurity plan.

Document All Risks

It is extremely important to document all identified risks. All findings should be reviewed and updated regularly to provide visibility and to maintain the organization's security posture.

Risk documentation usually includes relevant details of the risk scenario, information about the existing security controls, the risk level, the risk mitigation plan, the residual risk expected, etc.

Also, every risk category should have a risk owner, basically a person or a team responsible for keeping the threat to an acceptable level.
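The prioritization and documentation steps above can be tied together in a simple risk register. The following Python is an added example, not code from the original post or from StratusPointIT; the 1..5 ratings, the tolerance band thresholds and the sample risks are constructed for illustration and would come from the executives in scope in a real assessment.

```python
from dataclasses import dataclass

# Risk matrix bands are constructed for this example (ratings 1..5, score =
# likelihood x impact); real tolerance levels come from the executives in scope.
LOW_MAX, MEDIUM_MAX = 5, 12           # <=5 low, 6..12 medium, >12 high

@dataclass
class Risk:
    scenario: str
    likelihood: int                   # 1 rare .. 5 almost certain
    impact: int                       # 1 negligible .. 5 severe
    owner: str                        # person/team keeping the risk acceptable
    mitigable_internally: bool = True
    residual_likelihood: int = 0      # expected after the mitigation plan; 0 = no plan

def score(likelihood: int, impact: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be 1..5")
    return likelihood * impact

def band(s: int) -> str:
    return "low" if s <= LOW_MAX else "medium" if s <= MEDIUM_MAX else "high"
def treatment(r: Risk) -> str:
    """Map a risk onto the post's three actions: avoid, transfer, mitigate."""
    if band(score(r.likelihood, r.impact)) == "low":
        return "avoid"                # below tolerance: take no action
    if not r.mitigable_internally:
        return "transfer"             # significant, hand to a third party
    return "mitigate"                 # handle with internal controls

def residual(r: Risk) -> int:
    """Risk left after treatment; only a mitigation plan lowers it here."""
    if treatment(r) == "mitigate" and r.residual_likelihood:
        return score(r.residual_likelihood, r.impact)
    return score(r.likelihood, r.impact)

def register(risks: list) -> list:
    """Risk register rows, highest inherent score first."""
    rows = []
    for r in sorted(risks, key=lambda x: score(x.likelihood, x.impact), reverse=True):
        inherent, left = score(r.likelihood, r.impact), residual(r)
        rows.append({"scenario": r.scenario, "owner": r.owner, "score": inherent,
                     "band": band(inherent), "treatment": treatment(r),
                     "residual": left, "residual_band": band(left)})
    return rows
# Constructed sample risks, based on the flaw types the post names.
SAMPLE = [
    Risk("Malware on connected device without protection", 4, 4, "IT ops", residual_likelihood=2),
    Risk("Physical intrusion, no access control", 3, 3, "Facilities", mitigable_internally=False),
    Risk("Payroll data entry error", 1, 2, "Finance"),
]
```

Running `register(SAMPLE)` yields the malware scenario first (score 16, high, mitigated down to a residual of 8), the physical intrusion transferred at 9, and the payroll error accepted at 2; the residual column is what the executives should carry into the cybersecurity plan.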

Organizations must discover and address emerging threats in a timely manner. A solid initial security risk assessment therefore provides a good basis for all further assessments.

Security risk assessment is a large and ongoing effort that requires time, resources and, more than anything, a professional approach. For more related information, please reach out to StratusPointIT.